THESIS FOR THE DEGREE OF LICENTIATE OF ENGINEERING Aspects of the Modelling and Performance of Intrusion Detection

With the ever increased use of computers for critical systems, computer security— the protection of data and computer systems from intentional, malicious intervention—is attracting increasing attention. Many methods of defence already exist, of which one is the strong perimeter defence. This thesis is concerned with one such method of defence, the automated computer security intrusion detection system, or intrusion detection system (IDS) for short. The field has existed for some years, but this thesis demonstrates that several fundamental factors in the application of intrusion detection systems still remain unaddressed. Two of the main factors are effectiveness—how to make the intrusion detection system classify malign and benign activity correctly—and efficiency—how to run the intrusion detection system in as cost effective a manner as possible. Although these areas are beginning to receive attention, many basic parameters remain to be investigated before any real conclusion as to the applicability of intrusion detection can be reached. This thesis considers such factors in the form of both an audit data reduction hypothesis and its applicability, and a theoretical study into the factors limiting the effectiveness of intrusion detection systems. The main conclusion is that making a small, a priori selection of audit data for later analysis not only greatly reduces the task in hand, but provides a sufficient basis on which to base the intrusion detection decision. Furthermore, in making the intrusion detection decision, under a reasonable set of circumstances it is the false alarm rate that is the dominating factor.